[Snort-users] MISC IP Reserved bit set

Ofir Arkin ofir at ...949...
Mon Oct 15 04:01:01 EDT 2001


Jean,

There is no reason what so ever for the IP unused bit to be set (this is
the one next to the MF and DF).

With my ICMP research I did use it to identify several operating systems
according to their answers for Echo requests with the IP unused bit set.

The packet is crafted in my opinion. 
TTL is set to 153
IP ID is 153...
Protocol Number 204...

G :)

Maybe an NMAP protocol scan, or something similar.


Ofir Arkin [ofir at ...949...]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Jean
Michel BARBET
Sent: ג 09 אוקטובר 2001 8:16
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] MISC IP Reserved bit set

Hello,

I have used snort for about 2 months now and it is an unvaluable tool 
both for auditing your network and for learning. 

Yesterday I got a bunch of :

[**] [1:523:1] MISC IP Reserved bit set [**]
10/08-11:10:29.567869 EXTERNAL_NET -> HOME_NET
PROTO204 TTL:153 TOS:0x0 ID:153 IpLen:12 DgmLen:200

(I replaced the real addresses by EXTERNAL_NET and HOME_NET)
I got more than 6000 of these within 3 hours, then it stopped...
There are many different sources and targets.

I run snort V1.8 :
Version 1.8-RELEASE (Build 43)
By Martin Roesch (roesch at ...1935..., www.snort.org)

=> Could somebody explain to me what are these alerts ?

Also I am running two different versions of snort on two slightly
different
machines on the same mirrored port of a switch. 
These are V1.7 and the already mentioned V1.8-build 43. 

Both of them are dumping core about once a week. 

V1.7 runs on Linux RedHat 7.0, Kernel : 2.2.16-22
V1.8 runs on Linux RedHat 7.0, kernel : 2.2.19-7.0.8

=> Any idea of what is making snort crash ? Can I help by sending 
   a core file ?

Thank you.

Jean-Michel BARBET.

-- 
------------------------------------------------------------------------
Jean-michel BARBET                    | Tel: +33 (0)2 51 85 84 86 
Laboratoire SUBATECH Nantes France    | Fax: +33 (0)2 51 85 84 79
CNRS-IN2P3/Ecole des Mines/Universite | E-Mail: barbet at ...3724...
------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list